[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248392

 
 

909

 
 

195452

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Information Exposure Through Debug Information

ID: 215Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: DRAFT
Abstraction Type: Variant





Description

The application contains debugging code that can expose sensitive information to untrusted parties.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation
  • Operation

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
 		Read application data
 		 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 		 Do not leave debug statements that could be executed in the source code. Assure that all debug information is eradicated before releasing the software.
 		  
Architecture and Design
 		Separation of Privilege
 		Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
 		  

Relationships
This overlaps other categories.

Related CWETypeViewChain
CWE-215 ChildOf CWE-895 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following code reads a "debugEnabled" system property and writes sensitive debug information to the client browser if true.

Observed Examples

  1. CVE-2004-2268 : Password exposed in debug information.
  2. CVE-2002-0918 : CGI script includes sensitive information in debug messages when an error is triggered.
  3. CVE-2003-1078 : FTP client with debug option enabled shows password to the screen.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Infoleak Using Debug Information
 		 
OWASP Top Ten 2007 A6
 		Information Leakage and Improper Error Handling
 		CWE_More_Specific
 
OWASP Top Ten 2004 A10
 		Insecure Configuration Management
 		CWE_More_Specific
 

References:
None

© SecPod Technologies